name: "CodeQL" on: push: branches: [ "main" ] paths-ignore: - 'docs/**' - '**/*.md' pull_request: branches: [ "main" ] paths-ignore: - 'docs/**' - '**/*.md' schedule: - cron: '33 6 * * 5' workflow_dispatch: permissions: # set top-level default permissions as security best practice contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name == 'workflow_dispatch' }} cancel-in-progress: true jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: language: [ 'actions', 'cpp', 'python' ] steps: - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: submodules: recursive persist-credentials: false - name: Set up Python if: matrix.language != 'actions' uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.11' - name: Upgrade pip if: matrix.language != 'actions' run: python -m pip install --upgrade pip # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: languages: ${{ matrix.language }} config: | queries: - uses: security-extended - uses: security-and-quality paths-ignore: - '.setuptools-cmake-build/**' - 'build/**' - 'onnx/**/*_pb2.py' - 'onnx/**/*_pb2.pyi' - '**/*.pb.cc' - '**/*.pb.h' - 'onnx/backend/test/data/**' query-filters: - exclude: id: py/import-and-import-from # Install onnx so that it is found by the linters - name: Install ONNX if: matrix.language != 'actions' run: | export ONNX_ML=1 export ONNX_BUILD_TESTS=1 pip install . - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: category: "/language:${{matrix.language}}"